How to Harden WordPress

May 22nd, 2008 | by blank89 |

There is no guaranteed way to secure your blog; there will always be a way in. But there are ways to make sure that you’re not vulnerable to any widespread problems. Here are some tips to keep your blog under your control.

1. Minimize Total Code

This is very similar to the “keep it simple stupid” principle. The less code you have, the less vulnerable code you have. You should try to limit the number of enabled plugins, uploaded plugins and uploaded themes. The sum is only as secure as its parts; if one part is vulnerable the whole thing could be as well.

The first thing to do here is to check which plugins/themes you have installed that you don’t use. If you never use them, why do you have them installed to begin with? Next is the tough part: try to find a few plugins that you could do without. If you have more than about 10 plugins, you have too many.


2. Don’t Use Themes or Plugins You Don’t Trust

This one should be obvious. Don’t upload a plugin or theme if you don’t trust the author or the source. If you didn’t get it from an official WordPress site, that means you shouldn’t trust it. If you want to be really safe, look up the plugin and see what other people think about it.

3. Use Security Plugins

Login Lockdown and WP Security Scan are good for starters. Remember not to overdo it, though; step 1 still applies here. There are a few other decent ones out there. If you still want more, here is a link to the official WordPress plugin repository with a search for plugins.

4. Check For Updates Often

Nothing stays a private vulnerability forever. As more vulnerabilities are found and released into the wild, WordPress will come out with patches for them. This does absolutely no good if you don’t take notice of them! Make sure that you not only check for core WordPress updates, but that you check for plugin updates as well.

Some vulnerabilities go public very quickly after updates; some go public before updates. The WP team will try to give you as much warning time as possible. Don’t delay an update, or you might be the victim of a worm looking for vulnerable sites.

Checking for updates doesn’t just mean checking the plugins page and WP site for the latest updates, it also means looking for the latest advice on hardening your installation. There are some great posts out there about the details of hardening.

5. Get Involved

How much do you know about security? If you know how to audit code, by all means try your luck on a plugin or even the WP core. Follow this guy’s example: if you find a problem, don’t just patch it on your server and then let the rest of us get hacked. Report it! This is how updates (step 4) come to be.

Do you know nothing about hacking? You can still do something about it if you get hacked. Describe your problem to a WP tech, see if you can give them enough information to figure out where the vulnerability is. Just because you don’t know how to fix it, doesn’t mean you can’t be useful.

6. Look For Suspicious Activity

Would you know it if you got hacked? If you can recognize the symptoms of a hacked system, you can stop the problem before it starts. If any forms look broken, it’s possible somebody hit you with an XSS attack. Check your user list every once in a while. Are there more admins/authors than before? That might be SQL injection. Keep your eyes peeled and stay alert.
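The user-list check above can be scripted. This is an added example, not code from the original post: it parses the role names out of the PHP-serialized `wp_capabilities` value WordPress stores per user and reports any account that is newly privileged, or has gained privileges, compared with a baseline taken when the site was known-good. The user rows are constructed sample data standing in for a `wp_users`/`wp_usermeta` query.

```python
import re
from typing import Dict, List, Set

# Roles whose unexpected appearance is worth an alert (the post names admins/authors).
PRIVILEGED_ROLES = {"administrator", "editor", "author"}

# Matches enabled role keys inside WordPress' PHP-serialized wp_capabilities value,
# e.g. a:1:{s:13:"administrator";b:1;}  (handles several roles in one array too)
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> Set[str]:
    """Extract the enabled role names from a wp_capabilities meta value."""
    return set(_ROLE_RE.findall(serialized))


def privileged_accounts(users: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Map login -> privileged roles for every user that holds at least one."""
    result: Dict[str, Set[str]] = {}
    for u in users:
        roles = roles_from_capabilities(u["wp_capabilities"]) & PRIVILEGED_ROLES
        if roles:
            result[u["user_login"]] = roles
    return result


def find_unexpected(baseline: Dict[str, Set[str]], current: List[Dict[str, str]]) -> List[str]:
    """Report privileged accounts that are new, or whose privileges grew, since the baseline."""
    findings = []
    for login, roles in privileged_accounts(current).items():
        if login not in baseline:
            findings.append(f"new privileged account: {login} ({', '.join(sorted(roles))})")
        elif roles - baseline[login]:
            gained = ", ".join(sorted(roles - baseline[login]))
            findings.append(f"privilege change: {login} gained {gained}")
    return findings


# Constructed sample rows, shaped like a wp_users/wp_usermeta join result.
BASELINE_USERS = [
    {"user_login": "blank89", "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "guest", "wp_capabilities": 'a:1:{s:10:"subscriber";b:1;}'},
    {"user_login": "michael", "wp_capabilities": 'a:1:{s:6:"author";b:1;}'},
]
SAMPLE_USERS = BASELINE_USERS[:2] + [
    {"user_login": "wpadm1n", "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},  # unknown admin
    {"user_login": "michael", "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},  # role escalated
]
BASELINE = privileged_accounts(BASELINE_USERS)  # snapshot saved while the site was clean

if __name__ == "__main__":
    for line in find_unexpected(BASELINE, SAMPLE_USERS):
        print(line)
```

Save the baseline snapshot somewhere outside the web root, since an attacker who can edit the database can edit a baseline stored in it as well.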

7. Minimize Impact

Sometimes, despite your best efforts, you will be hacked. If you have enemies in the know, it’s always possible that they’ll decide to do something about it. It’s not the end of the world if you get hacked. You did back up your blog, right? If you didn’t, you have nobody to blame but yourself. This is a good practice even if you didn’t have to worry about hackers. Shared hosts aren’t always responsible with your data, and disasters happen.

If you back up your files, there is much less harm done than if you have to start from scratch. Don’t lose a year’s worth of work because you are too lazy to back up.

8. The Human Aspect

This is perhaps the weakest part of a system, security-wise: the person running the show. If you spend hours a day checking for updates, auditing code, and scanning for problems on your site, it will all be for nothing if you leave your password on a piece of paper on your desk and someone finds it. Make sure nobody finds your password.

If your password is guessable (Login Lockdown will help you somewhat here), then it doesn’t matter if someone doesn’t know it. Don’t use your dog’s name or a dictionary word as a password. If you’re in doubt, WP Security Scan has a password strength analyzer for you.

Update

If you need any motivation, check out what happened to this guy.


4 Responses to “How to Harden WordPress”

By Michael on May 25, 2008

    Thank you for mentioning my WP Security Scan plugin. It certainly is getting a lot of good use by the WordPress community.
    I wanted to clear one thing up though. I noticed that you tell your readers they should remove the plugin after activating it. The plugin should not be removed. It doesn’t just do a scan (perhaps I should have named it differently). The plugin performs various functions constantly to protect your WordPress installation. Removing it will disable these various layers of protection.

By blank89 on May 25, 2008

    I corrected the article. Besides the password tool, what function does it serve by remaining installed?

By Nico on May 27, 2008

    You can also get familiarized with some common security protocols at http://www.microsoft.com/hellosecureworld7 — could be useful for those who host the WP software on their own server space, especially if you need to guard against XSS and SQL injections.

1 Trackback

Jun 9, 2008: Leaving the Back Door Open: File Permissions in WordPress | Blank89 - Technology Exposed
